Solved

Account Lockout

Posted on 2011-03-08
Last Modified: 2012-05-11
I have a few user accounts, mine being one of them, that keep getting locked out.  I checked the security logs on the system and it is constantly coming from a single machine on the network.  This just started today.  If I turn the machine off then all is well.  If I turn it back on...  well, I'm guessing one of the services is using credentials.  The other is a user who is no longer with the company, and whose account has been disabled for quite some time.  Is there a way I can find out what services are using these credentials on the server?  Any guidance would be greatly appreciated.
Question by:Infamous_Q
7 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 500 total points
ID: 35075064
0
 
LVL 3

Expert Comment

by:Rhyseh
ID: 35075145
We had a similar issue some years ago where one of our servers missed an update and got a malware infection. It then proceeded to attempt to brute-force its way into our network by repeatedly sending validation requests with random user account names. This caused the accounts to become locked.

We fixed this by patching the server and manually stamping out the infection, however if this is a client machine I would just give it a reimage and get rid of this headache.
0
 
LVL 8

Expert Comment

by:Nivlesh
ID: 35077481
Since you traced it to one computer, you are already half way there. Next you have to check all services.

BTW, what OS is the offending machine running? If Windows 2000 + then go to start\run\ and then type services.msc and press OK. This will start the services applet. In here check the Log On As Column to see if the account that is being locked out is there.

Also, Internet Explorer might be trying to access a server with the username that is locked out. Check all passwords that are stored on the machine. In XP you can type control userpasswords2 and see all the usernames/passwords stored. In Win7, open Control Panel, go to User Accounts, then click on Manage your credentials. Also, you can use Internet Explorer to delete all history, stored forms, passwords, etc.

The last thing to check is if there is any program running that might be trying to login to your servers. Open up the Task Manager and see if there is any "dodgy" process. Kill it and try to stop it from starting again, restart the computer and monitor.

It is a slow process to get this sorted but if you follow the correct path, you will get there.

Regards
0
 
LVL 3

Expert Comment

by:sam0x01
ID: 35079267
Any authentication request from that computer could be causing it.

This may come from a service, scheduled task, or program that runs in the background.

Running schtasks /v on the computer or schtasks /S [computername] /v remotely while the computer is powered on will show the scheduled tasks and the credentials they run under

Running wmic service get displayname,state,startname will show the services, state and username

Running wmic /node:[computername] service get displayname,state,startname remotely will do the same.

If this is a program not running as a scheduled task or a service, and if it is a desktop, rebuilding it would be the easiest thing to do.

Otherwise opening each installed program and script on the server will eventually find the one that is causing it.
0
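The service and scheduled-task checks from the comments above, combined into one filtered sweep. This is an added example, not code posted by anyone in the thread. It assumes Windows PowerShell 2.0 or later on an admin workstation, English schtasks column headers, and a constructed account name (`jdoe`); the parameter names are hypothetical.

```powershell
# Added example: list services and scheduled tasks on one host that run
# under a given account. Parameter names and the 'jdoe' default are
# constructed for illustration.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # machine named in the lockout events
    [string]$Account      = 'jdoe'              # account that keeps locking out
)

# Match DOMAIN\jdoe, .\jdoe, jdoe@domain and bare jdoe (case-insensitive)
$pattern = '(^|\\)' + [regex]::Escape($Account) + '(@|$)'

# Services: StartName is the "Log On As" column shown in services.msc.
# Get-WmiObject uses DCOM, the same transport as "wmic /node:".
$services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object @{n='Type';  e={'Service'}},
                  @{n='Name';  e={$_.DisplayName}},
                  @{n='RunAs'; e={$_.StartName}},
                  @{n='State'; e={$_.State}}

# Scheduled tasks: verbose schtasks output as CSV, filtered on "Run As User".
# Repeated header rows or an "INFO: no tasks" line simply fail the match.
$tasks = schtasks /Query /S $ComputerName /V /FO CSV |
    ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match $pattern } |
    Select-Object @{n='Type';  e={'Task'}},
                  @{n='Name';  e={$_.TaskName}},
                  @{n='RunAs'; e={$_.'Run As User'}},
                  @{n='State'; e={$_.Status}}

# One table for both sources; empty output means neither holds the account
@($services) + @($tasks) | Format-Table -AutoSize
```

An empty result rules out services and scheduled tasks only; stored credentials and interactive programs on the machine still need to be checked separately.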
 
LVL 2

Author Comment

by:Infamous_Q
ID: 35083955
Thanks for all of the advice.  I will be working on this issue today to see where the problem is.  I'll post an update as soon as I have something.
0
 
LVL 2

Author Comment

by:Infamous_Q
ID: 35096137
So the services on the system are all running as local or network services, and I just finished running a full scan for virus/spyware.  Nothing so far. There are also no scheduled tasks on the machine.  To answer an above question, this is a Server 2003 machine.  However, it's not running all of the latest updates.  I will update the machine and install the lockout tools and post results.
0
 
LVL 2

Author Comment

by:Infamous_Q
ID: 35117149
I updated the system to the most recent and used the tools.  After finding the reason using the tools I was able to kill the rogue service and fix things.  Thanks very much for all of your help.
0
